CVE-2026-44283

EUVD-2026-30345

14.05.2026, 18:16

etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled. This vulnerability is fixed in 3.4.44, 3.5.30, and 3.6.11.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	0 NONE	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 13%

Affected Products (NVD)

Vendor	Product	Version
etcd	etcd	𝑥 < 3.4.44
etcd	etcd	3.5.0 ≤ 𝑥 < 3.5.30
etcd	etcd	3.6.0 ≤ 𝑥 < 3.6.11

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

etcd

bookworm	no-dsa
bullseye	no-dsa
forky	3.5.30-2 fixed
sid	3.5.30-2 fixed
trixie	no-dsa

Azure Linux Releases

Azure Package

Release

etcd

Azure Linux 3.0

0:3.5.30-2.azl3

fixed

Common Weakness Enumeration

CWE-863 - Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References

https://github.com/etcd-io/etcd/security/advisories/GHSA-x35m-3gp4-4fh5